Merge branch 'master' into master

2019-11-21 16:21:44 +01:00 · 2019-11-21 16:21:44 +01:00 · 6750d2b65c
parent 1a0dd2292b 8240fe1722
commit 6750d2b65c
2 changed files with 46 additions and 4 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -13548,7 +13548,31 @@
      },
      "uuid": "5cea5548-1e3c-222a-3faf-022d461260b5",
      "value": "DoppelPaymer"
+    },
+    {
+      "description": "This crypto ransomware encrypts enterprise LAN data with AES (ECB mode), and then requires a ransom in # BTC to return the files.",
+      "meta": {
+        "encryption": "AES",
+        "refs": [
+          "https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html"
+        ]
+      },
+      "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5",
+      "value": "Desync"
+    },
+    {
+      "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.",
+      "meta": {
+        "encryption": "ChaCha20 and RSA",
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
+          "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
+          "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
+        ]
+      },
+      "uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+      "value": "Maze"
    }
  ],
-  "version": 70
+  "version": 72
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -1060,7 +1060,8 @@
          "APT27",
          "Operation Iron Tiger",
          "Iron Tiger APT",
-          "BRONZE UNION"
+          "BRONZE UNION",
+          "Lucky Mouse"
        ]
      },
      "related": [
@ -1982,7 +1983,10 @@
        "attribution-confidence": "50",
        "country": "IR",
        "refs": [
-          "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
+          "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+          "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
+          "https://www.brighttalk.com/webcast/10703/275683",
+          "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
        ],
        "synonyms": [
          "APT 33",
@ -7782,7 +7786,21 @@
      },
      "uuid": "75db4269-924b-4771-8f62-0de600a43634",
      "value": "Operation WizardOpium"
+    },
+    {
+      "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
+      "meta": {
+        "refs": [
+          "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
+        ],
+        "synonyms": [
+          "Calypso",
+          "Calypso APT"
+        ]
+      },
+      "uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
+      "value": "Calypso group"
    }
  ],
-  "version": 140
+  "version": 143
 }